intuisec: a framework for intuitive user interaction with ... - CiteSeerX

The 18th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC’07)

INTUISEC: A FRAMEWORK FOR INTUITIVE USER INTERACTION WITH SMART HOME SECURITY USING MOBILE DEVICES Dimitris N. Kalofonos Pervasive Computing Group Nokia Research Center Cambridge Cambridge, MA 02142 [email protected] A BSTRACT This paper presents IntuiSec, a framework for intuitive user interaction with smart home security using mobile devices. The design approach of IntuiSec is to introduce a level of indirection between the user-level intent and the system-level security infrastructure. This layer of indirection, implemented by a collection of distributed middleware and user-level tools, exposes only concepts and real-world metaphors that are intuitive to non-expert users and translates their intent to the necessary underlying security settings. The IntuiSec framework presents the user with intuitive steps for setting up a secure home network, establishing trusted relationships between devices, and granting temporal, selective access for both home occupants and visitors to devices within the smart home. I.

I NTRODUCTION

As smart homes become part of our daily life [1], [2], so do the network security threats. One of the main challenges in home network security is that its users are non-expert consumers, who have no background nor interest in understanding the relevant technologies. This leads to a growing problem whereby, no matter how sophisticated are the underlying security protocols, home networks remain vulnerable because users either misconfigure or even do not use the security infrastructure at all. Recently, attempts have been made to improve the usability of security. However, many such proposals involve improving the user interface to better present the security concepts to the end-user, while still forcing him to interact directly with low-level security parameters, such as crypto keys and access control lists (ACL). We believe these attempts are inadequate as they still directly expose non-expert users to the complicated underlying security. In this paper, we present our proposal to address this issue called IntuiSec (Intuitive Security). IntuiSec places mobile phones in the center of user interaction with smart home security, because they are ubiquitous and personal, they are reminiscent of ‘remote controls’, and they feature a multitude of connectivity options, some of which resemble “touch”, a very intuitive user interaction modality. Rather than making direct interaction with security easier, IntuiSec introduces a level of indirection between the user-level intent and existing smart home security infrastructure, which exposes only concepts that are intuitive to non-expert users and translates their intent to the necessary security settings. IntuiSec is a comprehensive framework that guides users to setup secure smart homes and c 1-4244-1144-0/07/$25.00 2007 IEEE

Saad Shakhshir Computer Science and AI Lab (CSAIL) Massachusetts Institute of Technology Cambridge, MA 02142 [email protected] manage trust and access to their devices. IntuiSec does not intend to design new security mechanisms or protect a household against the most advanced adversary; instead, it aims at improving real-world security by making it easy for non-experts to take reasonable measures and use what already exists. The rest of this paper is organized as follows: Section II. presents an overview of related work; Section III. describes a usage scenario that motivated our work; Section IV. gives details about the system design of IntuiSec; Section V. presents our example implementation of the framework; finally, Section VI. gives our conclusions. II.

R ELATED W ORK

Smart home security involves research from the fields of Human Computer Interaction with Security (HCI-SEC) and smart space security. HCI-SEC research examines the security usability of applications and technologies [3] and provides general design guidelines [4]. Most of the research in this field focuses on how to better present the security concepts to the end-user. Security in smart spaces has also attracted intense research interest (e.g. [5], [6]), although the focus is not necessarily on usability. IntuiSec is most related to research on smart space security usability. In this area, the issue of 802.11 security usability has attracted a lot of interest both in the industry (e.g. [7], Wi-Fi Alliance EZ-Setup WG) and in the academia (e.g. [8]). One approach is to leverage Location Limited Channels (LLC’s) to setup security associations [9], [10]. Holmstr¨om in [11] uses the metaphor of a business card to delegate permissions between individuals. In the area of smart home security [12], the Universal Plug and Play (UPnP) Forum [13] has created specifications, although the framework’s usability was out-of-scope. IntuiSec takes a step further compared to the work above, by offering a comprehensive framework that guides non-expert users from easily setting up their secure smart homes, to intuitively managing trust and access to their devices and services. III.

M OTIVATING U SAGE S CENARIO

Bob and Alex are roommates. They want any new devices they buy to gain permanent and secure connectivity to their smart home. At the same time they want to protect their home from being accessed by non-authorized users. Once their devices are connected and can all communicate with each other securely, Bob would like to prevent Alex from accessing services provided by his devices until he explicitly grants him access. He could also opt to have his devices grant some default level of

The 18th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC’07)

access to everybody. By way of example, Bob purchases his own media server and they both jointly purchase an A/V renderer for the living room, so they both have access to it by default. Bob can now stream content from his media server and display it on the A/V renderer, however Alex cannot. Still, Alex would like to play some music from Bob’s server, so he asks Bob to give him access. He agrees, but he only wants to give Alex permission to stream music and not movies. One day, their smart fridge breaks down. The repairman comes in, but by default he is not even able to connect to their network. Alex grants the repairman access for one day to selected functionality of the fridge, so that he can connect and repair it. At the end of the day, the repairman automatically loses all access both to the fridge and their network.

H ello S AA D ! Y ou are m y firs t owner. P leas e Ins ert the P hyK ey

G reat! Now pleas e T AP m e with a hom e Mobile D evice

2 1

IV. A.

S YSTEM D ESIGN

Basic Design Concepts

IntuiSec assumes that every home device has a Location Limited Channel (LLC), e.g. Near Field Communication (NFC), RFID, Infrared. We believe this is a realistic assumption given industry momentum, decreasing costs, and proliferation of these technologies. It also assumes that communications over LLCs are inherently authentic and difficult to eavesdrop due to their very short range of a few centimeters. Finally, IntuiSec assumes there is strong platform security that protects data in the devices, and that hardware and software shipping with the devices is trustworthy. IntuiSec defines Home Devices as devices which have knowledge of a common Home Secret. This secret is given to a Home Device when the user ‘unlocks’ the home network for it, a proceedure we call Easy Setup and is described in Section B.. This may be performed using a physical object reminiscent of a key called PhyKey or other means such as manual input. Home Devices have permanent connectivity access to the home network and they alone can be used to allow Visitor Devices to access it and any of its services. Home Devices are further distinguished into: (a) Infrastructure Devices (e.g. access points); (b) Mobile Devices (e.g. mobile phones) that can be used to touch all types of Home Devices; and (c) Fixed Devices (e.g. printers) that cannot be easily moved to touch other non-Mobile Devices. The term TAP describes using a Mobile Device to touch another device. During a TAP, the system through the LLC performs security-related transactions, e.g. exchanges public keys, authenticates Home Devices, transfers link keys, etc. IntuiSec distinguishes different user roles. The first user of a new device becomes its first Owner. Owners have full access to a device and only they can grant permission to others to access it and add others to its Owner list. Users interact with service provider devices in the home through devices that act on their behalf. Therefore, it is users and not devices that are the subjects of all actions in the IntuiSec smart home. This enables access privileges to persist regardless of which device a user is using. Users can be either Home Occupants (i.e. owners of at least one Home Device) or Visitors (i.e. owners of only Visitor Devices).

3

T AP

4

C ongratulations S A A D ! Y our device is now hom e network ready

Figure 1: Easy Setup of a 802.11 printer. The HomeID (HomeID = hash(Home Secret))1 is used to uniquely identify the smart home. Each user is assigned a system-wide keypair {U KP RI , U KP U B } during the Easy Setup process described in Section B., e.g. using a username/password pair or biometric information. The UserID (U serID = hash(U KP U B )) is used to uniquely identify each user. The UserID of the Owner is called OwnerID. Each service provider device has a unique private/public keypair {P KP RI , P KP U B } that is pre-shipped with it. The ProviderID (P roviderID = hash(P KP U B )) is used to uniquely identify service provider devices. B. Easy Setup IntuiSec aims at providing a “buy-plug-and-play” user experience. When a user purchases a new device, IntuiSec guides her to perform the three simple steps described below and depicted in Figure 1 (for a new Fixed Device). • Step 1: the user performs the imprinting process, by which the new device comes to learn about its first Owner [14]. Figure 1 shows a username/password entry system, however this is not a requirement. • Step 2: the user transfers the Home Secret to the device. This can be done with the insertion of the PhyKey, as shown in Figure 1, however this is not a requirement. A PhyKey provides an intuitive analogy to door keys: the PhyKey ‘unlocks’ the home network just like the house key unlocks the front door. • Step 3: if the device being set up is an Infrastructure Device then this step is not necessary. For a Mobile Device, 1 It is also possible to assume a shared home keypair {H P RI , HP U B } and define HomeID = hash(HP U B ).

The 18th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC’07)

IntuiSec

IntuiSec

IntuiSec

Manufacturer mechanism to set the user-level “Bluetooth PIN”

Manufacturer mechanism to set the user-level “passkey”

Manufacturer mechanism to set the user-level “WEP key”

Bluetooth security framework generates session link-level keys used for authentication and encryption

WPA security framework generates and continuously changes link-level keys used for authentication and encryption

WEP security framework uses the WEP key entered by the user for authentication and encryption

Info destined for the Passlet recipient device. Removed before sending the Passlet to the target Provider.

Issues: • does not prevent user receiving passlet to give out secrets to other users. Those users would then gain limited connectivity access, but not access to the target device • requires passlet exchange using inherently secure channels (e.g. TAPing))









Bluetooth

802.11 with WPA





Encrypted using PKPUB PUBof target provider

802.11 with WEP

Only the target provider can decrypt this info

Figure 2: Ordered secrets mechanism.

Figure 3: Example high-level Passlet design.

1

the user TAPs the Infrastructure Device to acquire the necessary link-level keys, provided that the TAPing device is authenticated as a Home Device. If the device is a Fixed Device, then an already bootstrapped mobile intermediary is used as in Figure 1.

Establish passlet session

Send passlet to target device

CONTROL POINT

Receive passlet from CP

Decrypt and check integrity

NO

pass ?

YES YES

received error ?

NO pass ?

YES Authenticate remote UserID

Prove UserID

NO

Ordered List of Secrets Mechanism

NO

pass ?

pass ?

YES

YES

IntuiSec introduces a middleware layer that replaces the user interaction for creating and changing common secrets in a wireless home network. This approach is applicable to a wide variety of underlying security systems, all of which support the concept of a user-level common secret as illustrated in Figure 2. It also allows for access control privileges that expire without the need for manual revocation. IntuiSec sets and updates user-level common secrets based on an ordered list mechanism. An ordered list of user-level common secrets is generated randomly by the IntuiSec middleware running on an Infrastructure Device, which then selects the first secret in the list and sets the user-level common secret with it. The Infrastructure Device periodically (e.g. daily) selects the next secret in the list and again sets the user-level secret with it until it reaches the end, in which case it generates a new list. This is expected to happen infrequently in practice, e.g. 3 years for a list with 1000 secrets and daily rotation. The list could be renewed at any time, if the owner felt it was compromised. During Step 3 of the Easy Setup process, the entire list of ordered secrets is transferred to Home Devices. These devices store the list and move down on it until they find the currently active secret. Every time the Infrastructure Device changes the common secret, the client devices momentarily lose access and will have to again move down the list to synchronize. When the list is exchausted, each device notifies the user to TAP the Infrastructure Device to obtain the new list. This scheme also allows users to easily grant temporary access to the smart home network to Visitor Devices. For example, if a user wants to give a visitor access for three days and the secrets change daily, then IntuiSec transfers to the Visitor Device the current and the two following secrets through the Passlet mechanism described in Section E.. D.

Trust Builder

Once a device is connected to the home network, it can proceed to search for and discover devices and their services.

PROVIDER

Verify owner ’s signature

NO

C.

Digital signature of an owner of the Provider

Signed Signedby byuser userwho whocreated createdPasslet passletand andisisalso alsoowner ownerof oftarget targetrovider Provider p

Authenticate remote ProviderID

Prove ProviderID

NO

NO pass ? YES

pass ?

YES

Negotiate session keys

Negotiate session keys

NO Process error

success ?

Notify user

Update entry in passlet DB with session keys.

NO success ?

YES

YES Terminate connection

Create entry in passlet DB with session keys, permissible actions, time, etc.

Figure 4: Establishment of a Passlet session. But how can the user trust devices discovered over the network? In order to eliminate the need for Certificate Authorities (CA) in the smart home, IntuiSec offers a user-level tool called Trust Builder that leverages inherently secure “touch” based on LLCs to establish trust. The premise is that a user can trust what she has seen and touched. A user’s device obtains trustworthy information from a service provider device through a TAP, e.g. the ProviderID, OwnerID, and HomeID, which can later be used to authenticate it remotely. E.

Access Control with Passlets

To make the process of granting access easier, IntuiSec introduces Passlets [15], which are user-perceived entities that carry user-level intent. Passlets are inspired by the concept of ‘capabilities’. They behave like ‘tickets’ or ‘passes’ that give permission to the bearer to first connect to the home network and then use a subset of services provided by a device, without requiring it to be configured in advance. Passlets contain link-level connectivity information necessary to connect to the home network and are digitally signed by the owner of the device being shared. An example of a highlevel design of a passlet is shown in Figure 3 (not showing all details, e.g. nonces), where UserID is the user the Passlet is for, AP ID is the MAC address of the AP and AP secrets is a number of user-level secrets required to connect to the network for the Passlet duration, as described in Section C.. A passlet session is established, for the duration of the Passlet, when its bearer first attempts to use it (see Figure 4). Passlets can be revoked before their expiration time by their issuer, which sends

The 18th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC’07)

Easy Setup

Trust Builder

Passlet Manager

MOBILE DEVICE

UPnP Control Point App

IntuiSec Tools USER LAYER

UI-SEC API

Printer

Printer

Fridge

Fridge

Media Server

TAP

MIDDLEWARE LAYER

IntuiSec Client

UPnP Control Point Engine

Media Server

• Green indicates TAPed devices - the user can trust that they are what they claim to be. Red indicates unTAPed devices • Ownership of the discovered device is shown with a • A no entry sign indicates that the user has no access to the device • An icon of a house indicates that the device belongs to the same home as the phone

Figure 5: Example visualization of security using the IntuiSec API, before and after establishing trust with the fridge.

TAPing

IntuiSec Engine

Crypto Libraries

IntuiSec Engine

IntuiSec DB Manager

Sent Received Passlets DB Passlets DB

Unmodified UPnP Middleware

Trusted Devices DB

Figure 6: IntuiSec architecture on Symbian.

EasySetup

Engine

IRClient

IRServer

Engine

GetConnectivityInfo GetConnectivityInfo home_id

a signed message to the service provider, which in turn adds it to a revocation list. The space requirements of this list can be minimized through the use of 128-bit unique Passlet identifiers and a global maximum Passlet duration.

home_id IsOtherHome?

IsOtherHome?

yes

yes GET_CONNECTIVITY_INFO

OK serialized_conn_info

F.

IntuiSec API for Security Visualization

CLOSE HandleNewConnInfo

Finally, IntuiSec exposes an API that allows application developers to present the user with a consistent and intuitive visualization of security-related aspects of the Smart Home. For example, different visual cues may be used to express whether a discovered device is trusted, whether a device is a Home Device, or whether a user has access to a device. However, IntuiSec does not specify a particular graphical user interface (GUI) representation to be used; this is left up to the application developers. One example of how such visualizations may be presented at a UPnP Control Point is shown in Figure 5. V.

P ROTOTYPE I MPLEMENTATION

We prototyped a proof-of-concept IntuiSec implementation [16] by simulating a smart home environment using Linux laptops as Fixed and Infrastructure devices, and Nokia Symbian mobile phones as Mobile Devices. We used UPnP Control Points running on Symbian mobile devices and Services running on Linux laptops. Although our implementation also included middleware and tools on Fixed and Infrastructure devices written in Java, in the rest of this section we will describe the system architecture and implementation with a focus on the Mobile devices. The IntuiSec Mobile Device software was written for the Series 60 platform in Symbian C++. The main components of the software are depicted in Figure 6. TAPing was implemented using a Client/Server protocol over Infrared. The Easy Setup process on Mobile Devices consists of the three steps described in Section B.. Figure 7 shows the UML sequence diagram in the TAPing portion (Step 3) when a Home Device performs Easy Setup. Screenshots depicting the user interaction process with the ‘Trust Builder’ tool are shown in Figure 8. The system view of the process to build trust is illustrated in Figure 9.

CreateBTPairing SaveLinkKeys

Mobile Device (Nokia Series 60)

IrDA

Infrastructure Device (Linux Laptop)

Figure 7: Successful TAP, Easy Setup Step 3. Our prototype ‘Passlet Manager’ tool contains three tabs. The first lists Passlets that the user has sent, the second lists Passlets that the user has received, and the third displays devices that the user owns and has TAPed. These are the devices for which the user is able to generate Passlets. Screenshots of the steps a user takes to create and grant a Passlet are shown in Figure 10. The TAPing sequence performed by the IRClient in the case of handing a Passlet to a visitor is shown in Figure 11. VI.

C ONCLUSIONS

In this paper we presented IntuiSec, a framework for intuitive user interaction with smart home security using mobile devices. IntuiSec introduces user-level tools and middleware on top of existing security mechanisms, and guides non-expert users to easily setup secure smart homes and intuitively manage trust and access to their devices and services. IntuiSec strengthens real-world smart home security, not by introducing new security counter-measures, but by making it easy for non-experts to use what already exists. R EFERENCES [1] Digital Living Network Alliance Home Networked Device Interoperability Guidelines Expanded. Digital Living Network Alliance (DLNA), March 2006. [2] UPnP Device Architecture 1.0.1. UPnP Forum, Dec. 2003.

The 18th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC’07)

PassletManager

Engine

IRClient

IRServer

Engine

DBManager

SendPasslet(passlet) SendPasslet(passlet) home_id home_id IsOtherHome?

DBManager

IsOtherHome?

no

no GET_USER_ID user_id

passlet.userID = user_id

PASSLET OK serialized_passlet CONNECTIVITY_INFO OK

DIMI PHONE VIEW

serialized_conn_info

TAP

DIMI A/V RENDERER

HandleSentPasslet

CLOSE HandleReceivedPasslet

InsertSentPasslet

Figure 8: The Trust Builder tool.

InsertReceivedPasslet

Passlet Generating Device (Nokia Series 60)

Passlet Receiving Device (Nokia Series 60) IrDA

Figure 11: Granting Passlet to a visitor. TrustBuilder

Engine

IRClient

IRServer

Engine

GetDeviceInfo GetDeviceInfo home_id home_id IsOtherHome?

DBManager

IsOtherHome?

yes/no

yes/no GET_DEVICE_INFO OK serialized_dev_info CLOSE

HandleNewDevInfo InsertNewDevInfo

Mobile Device (Nokia Series 60)

IrDA

Fixed Device (Linux Laptop)

Figure 9: The process of building trust.

E xam ple s of pas s le ts of diffe re nt type s : printe r, m e dia-s e rve r

1

2

3

S A A D P H O N E V IE W

S A AD D IMI

T AP

D IMI P H O NE V IE W

Figure 10: The Passlet Manager tool.

[3] A. Whitten and J. D. Tygar. Why johnny can’t encrypt: A usability evaluation of pgp 5.0. In Proceedings of the 8th Usenix Security Symposium, pages 169–184, 1999. [4] K.-P. Yee. User interaction design for secure systems. In Proceedings of the 4th international conference on information and communications security (ICICS), December 2002. [5] J. Wang, Y. Yang, and W. Yurcik. Secure smart environments: Security requirements, challenges and experiences in pervasive computing. In Experience Workshop on Pervasive Computing, July 2005. [6] P. Nixon, W. Wagealla, C. English, and S. Terzis. Security, privacy and trust issues in smart environments. In Smart Environments: Technologies, Protocols and Applications. Wiley-Interscience, 2005. [7] Broadcom Corporation. Securing Home Wi-Fi Networks: A Simple Solution Can Save Your Identity, May 2005. www.54g.org/pdf/ Wireless-WP200-RDS.pdf. [8] C. Kuo, V. Goh, A. Tang, A. Perrig, and J. Walker. Empowering Ordinary Consumers to Securely Configure Their Mobile Devices and Wireless Networks. Technical report, CMU Cylab Tech Report (CMUCyLab-05-005), Dec. 2005. [9] D. Balfanz, D. Smetters, P. Stewart, and H. Wong. Network-in-a-box: How to set up a secure wireless network in under a minute. In Proceedings of the 13th Usenix Security Symosium, pages 207–221, 2004. [10] D. Balfanz, G. Durfee, and D. K. Smetters. In search of usable security: Five lessons from the field. In IEEE Security & Privacy, pages 19–24, September/October 2004. [11] U. Holmstr¨om. User-centered design of security software. In Human Factors in Telecommunications, May 1999. [12] C. M. Ellison. Home network security. Intel Technology Journal, 6(4):37–48, November 2002. [13] UPnP Security Ceremonies V1.0. UPnP Forum, Oct. 2003. [14] F. Stajano and R. Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In International Workshop on Security Protocols, 1999. [15] D. Kalofonos. IntuiWare Security Functional Specification. Technical report, Nokia Research (internal), April 2004. [16] S. Shakhshir and D. Kalofonos. IntuiSec: a Framework for Intuitive User Interaction with Smart Home Security. Technical Report NRC-TR2006-003, Nokia Research Center, April 2006. research.nokia. com/tr/NRC-TR-2006-003.pdf.